security fixes

Gavin McCullagh gavin.mccullagh at gcd.ie
Wed May 11 12:14:09 CEST 2011


Hi,

there have been several security bugs in Postfix recently (and I believe
there was one in Cyrus).  I realise Kolab is a small operation, but I've
not seen much in the way of security disclosures.  

I see these, the last one of which was 16 months ago. 

http://www.kolab.org/security/kolab-vendor-notice-27.txt

Is that really the last security flaw in the kolab distribution?

Gavin

----- Forwarded message from Marc Deslauriers <marc.deslauriers at canonical.com> -----

From: Marc Deslauriers <marc.deslauriers at canonical.com>
Subject: [USN-1131-1] Postfix vulnerability
To: ubuntu-security-announce at lists.ubuntu.com
Cc: full-disclosure at lists.grok.org.uk, bugtraq at securityfocus.com
Date: Wed, 11 May 2011 05:54:37 -0400
Reply-To: ubuntu-users at lists.ubuntu.com, Ubuntu Security <security at ubuntu.com>

==========================================================================
Ubuntu Security Notice USN-1131-1
May 11, 2011

postfix vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS
- Ubuntu 6.06 LTS

Summary:

An attacker could send crafted input to Postfix and cause it to crash or
run programs.

Software Description:
- postfix: High-performance mail transport agent

Details:

Thomas Jarosch discovered that Postfix incorrectly handled authentication
mechanisms other than PLAIN and LOGIN when the Cyrus SASL library is used.
A remote attacker could use this to cause Postfix to crash, leading to a
denial of service, or possibly execute arbitrary code as the postfix user.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.04:
  postfix                         2.8.2-1ubuntu2.1

Ubuntu 10.10:
  postfix                         2.7.1-1ubuntu0.2

Ubuntu 10.04 LTS:
  postfix                         2.7.0-1ubuntu0.2

Ubuntu 8.04 LTS:
  postfix                         2.5.1-2ubuntu1.4

Ubuntu 6.06 LTS:
  postfix                         2.2.10-1ubuntu0.4

In general, a standard system update will make all the necessary changes.

References:
  CVE-2011-1720

Package Information:
  https://launchpad.net/ubuntu/+source/postfix/2.8.2-1ubuntu2.1
  https://launchpad.net/ubuntu/+source/postfix/2.7.1-1ubuntu0.2
  https://launchpad.net/ubuntu/+source/postfix/2.7.0-1ubuntu0.2
  https://launchpad.net/ubuntu/+source/postfix/2.5.1-2ubuntu1.4
  https://launchpad.net/ubuntu/+source/postfix/2.2.10-1ubuntu0.4





-- 
ubuntu-security-announce mailing list
ubuntu-security-announce at lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce


----- End forwarded message -----

-- 
Gavin McCullagh
Senior System Administrator
IT Services
Griffith College 
South Circular Road
Dublin 8
Ireland
Tel: +353 1 4163365
http://www.gcd.ie
http://www.gcd.ie/brochure.pdf
http://www.gcd.ie/opendays
http://www.gcd.ie/ebrochure

This E-mail is from Griffith College.
The E-mail and any files transmitted with it are confidential and may be
privileged and are intended solely for the use of the individual or entity
to whom they are addressed. If you are not the addressee you are prohibited
from disclosing its content, copying it or distributing it otherwise than to
the addressee. If you have received this e-mail in error, please immediately
notify the sender by replying to this e-mail and delete the e-mail from your
computer.

Bellerophon Ltd, trades as Griffith College (registered in Ireland No.
60469) with its registered address as Griffith College Campus, South
Circular Road, Dublin 8, Ireland.




More information about the users mailing list